[OWASP-LEADERS] Big welcome to Carric / Server Setup

David Raphael david.raphael at ceterum.net
Fri Nov 8 23:08:06 EST 2002


Hello Everyone,

Welcome Carric! It's great to hear more people are interested in the
cause!

To business:

Are we comfortable with Apache 2 being the most secure?  I am not a
Linux security specialist, but I don't believe that Apache 2 has had
the same exposure as 1.3.xx... What does everybody think?

I like the idea of no port other than 80 being open.  A terminal server
might be a good alternative for remote administration!  Maybe we could
get hold of a little Cyclades or something.  Please give your comments.
Use dial-in only access, or have it on some kind of private LAN with
alternative access.

What does anyone think about this?

-Dave


> -----Original Message-----
> From: owasp-leaders-admin at lists.sourceforge.net
> [mailto:owasp-leaders-admin at lists.sourceforge.net]On Behalf Of Ingo
> Struck
> Sent: Thursday, November 07, 2002 6:29 AM
> To: owasp-leaders at lists.sourceforge.net
> Cc: mark at curphey.com
> Subject: [OWASP-LEADERS] Big welcome to Carric / Server Setup
> 
> 
> Hi Carric,
> 
> I assume that Mark put you on this list, so welcome to the
> OWASP staff.
> It is really great that you volunteered for some admin work
> and that you could provide a hosting location for our production
> servers. Thanks a lot!
> 
> Some weeks ago I already sent a personal wishlist for the
> production server setup, so I simply repost it here:
> 
> === snip ===
> 
> Here you go with a detailed wishlist for the server configuration:
> (I am currently not sure, whether the BSD or a linux box will be
>  used for vulnxml - that makes no difference for me)
> 
> 1. The file system setup *must* provide separate partitions for
>    /var and /tmp
> 2. The file system setup *should* provide separate partitions for
>    /opt, /usr and /home
> 3. All apache stuff goes to /opt/apache, i.e.:
>    /opt/apache/httpd     httpd (preferably 2.0.43, 1.3.27 will do as well)
>    /opt/apache/tomcat    tomcat (4.1.12)
>    (I will provide the appropriate conf files for httpd 2.0 and for tomcat)
> 4. The vulnxml application goes to /opt/owasp/vulnxml
>    (I will provide this directory as a whole as tar.bz2)
> 5. absolutely no ftp, telnet, finger or other crap access
> 6. only port 80 open for remote access (best would be a packet filter
>    firewall), if *really* necessary port 22 for ssh
> 7. If it is somehow possible (i.e. you have got the servers near to you)
>    NO SSH ACCESS AT ALL
> 
> Due to our project goals I expect our apps to be attacked more than
> an average web app. That's why I want the servers as leakproof as
> possible.
> 
> === snap ==
> 
> Kind regards
> 
> Ingo
> 
> _______________________________________________
> Owasp-leaders mailing list
> Owasp-leaders at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-leaders
> 
> 
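As an added example (not code from this thread, from Ingo, or from OWASP), here is a POSIX sh script that checks a host against the wishlist quoted above: /var and /tmp must be separate partitions, /opt, /usr and /home should be, and nothing may listen except port 80, with 22 tolerated only if the allow-list says so. The mount table and the socket list are constructed samples so the script runs offline; the function names, the "proto port" input format and the port-to-service labels are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from OWASP): audit a host against the
# server wishlist. Sample inputs below are constructed so the script runs offline;
# on a real host pass /proc/mounts and a parsed ss(8)/netstat(8) listing instead.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# /var and /home are separate partitions; /tmp, /opt and /usr are not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /var ext3 rw,nosuid,nodev 0 0
/dev/sda6 /home ext3 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0'

# Constructed sample of listening sockets, one "proto port" per line.
SAMPLE_LISTEN='tcp 80
tcp 22
tcp 21
udp 53'

# has_own_mount MOUNTS PATH: succeed if PATH appears as a mount point in the MOUNTS table.
has_own_mount() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_mounts MOUNTS PATH...: print each PATH that is not its own mount point.
missing_mounts() {
    mounts=$1
    shift
    for p in "$@"; do
        has_own_mount "$mounts" "$p" || printf '%s\n' "$p"
    done
}

# unexpected_ports LISTEN ALLOWED: print the "proto port" lines of LISTEN whose
# port is not in the space-separated ALLOWED list.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 2 && !($2 in ok) { print $1, $2 }'
}

# service_name PORT: label the services the wishlist forbids outright (assumed mapping).
service_name() {
    case $1 in
        21) echo ftp ;;
        23) echo telnet ;;
        79) echo finger ;;
        *)  echo unknown ;;
    esac
}

# audit_report MOUNTS LISTEN ALLOWED: print findings; return 1 if any *must* item fails.
audit_report() {
    status=0
    for p in $(missing_mounts "$1" /var /tmp); do
        echo "MUST:   $p is not a separate partition"
        status=1
    done
    for p in $(missing_mounts "$1" /opt /usr /home); do
        echo "SHOULD: $p is not a separate partition"
    done
    # The while loop runs in a subshell, so the status is derived by a separate check below.
    unexpected_ports "$2" "$3" | while read -r proto port; do
        echo "MUST:   $proto/$port ($(service_name "$port")) is listening but not allowed ($3)"
    done
    [ -z "$(unexpected_ports "$2" "$3")" ] || status=1
    return $status
}

# Run against the constructed samples with the wishlist's policy: port 80, 22 tolerated.
audit_report "$SAMPLE_MOUNTS" "$SAMPLE_LISTEN" "80 22" || echo "RESULT: host does not meet the wishlist"
```

On a real box the first argument is simply `"$(cat /proc/mounts)"`; the socket list can be built from `ss -lntuH` (or `netstat -lntu` on a 2002-era system) by printing the protocol column and the port after the last colon of the local address, which is an assumption about your tool's column layout and should be checked once by hand. The script only reports: the enforcement is still the packet filter in item 6, and a clean report with port 22 in the allow-list does not satisfy item 7.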